A blog of my ideas, lessions learnt and HOWTOs

Monthly Archives: October 2013

Say you’re running a webserver with API’s that offer specific services to customers, which as a result generates some form of valuable output file like reports etc. Or possibly the opposite situation, where frequent uploads of files such as a databases are necessary for the use of the webapp services.

Despite these reports being generated and easily accessible for download via the webportal, as well as the ability for uploading necessary files to the webapps, there is always going to be a user that wants to be able to do this in a different manner.

And who can blame them when user is dealing with the personal information of their client base, and also wants to be able to achieve a form of file management that can be scripted and automated?

So how can we give them this access in a manner that restricts their ability to interact with the rest of the server? The answer is a jailed SFTP account.

Prerequisites:

OpenSSH 5 (I had to upgrade OpenSSH manually because CentOS 5 natively supports a previous version that wouldn’t suffice for this purpose).

…if by chance you need to do the same on CentOS or another RPM distro that has the same limitation, follow the installation instructions in this guide:

Configuring:

Locate out the following line and comment out with a # if not already done so:

# Subsystem sftp /usr/libexec/openssh/sftp-server

Scroll down and append the following to the end:

Subsystem sftp internal-sftp

Match Group sftponly

ChrootDirectory /home/%u

ForceCommand internal-sftp

AllowTcpForwarding no

Restart the SSH service:

# /etc/init.d/sshd restart

…..(or # service ssh restart depending on distro)

Now we need to make an account and folder that a user can read and write to, yet with restricted permissions to the user home folder itself, no access to any other folders on the server and most of all NO SHELL ACCESS.

The best way to achieve this is to set up a jailed chroot, so when they connect via SFTP to /home/<user>/ it will appear to them as the root directory where they are not the owner and they cannot write to. This is particularly important because otherwise they could potentially alter SSH configuration files, such as the pubkeys – an obvious security risk.

Instead the folder /home/<user>/sftp/ (or to them /sftp) is created where they have ownership along with read and write permissions.

Firstly we need to create a group for the user called ‘sftponly’, just like we specified in the sshd config file:

# groupadd sftponly

Now if you’re lazy, feel free to run this interactive script I created that will do the rest. Simply copy the output below into a file, name it what you want, and run it as so.

# bash /path/to/script

***Remember to chmod +x the file first.

Then, simply follow the prompts.

Otherwise you can just follow the command order in the script or alter to suit your fancy.

Be sure to generate and copy the pubkey onto the server if you want the script to add it automatically, otherwise you can do it manually later by copying it into ~/.ssh/authorized_keys file.

#!/usr/bin/env bash
# This script serves to create and configure new user accounts for SFTP
# Just enter in the details correctly when prompted and it'll do it all for you.
# You can thank me later ;) -- Your friendly admin.
#
# Note: Script must be run as root. Run as "bash SFTPcreator.sh"
# Note: Tested only on CentOS 5.9
# Note: Requires OpenSSH 5
# Pre-Config: Make sure the following is matched in sshd_config:
#
#
# " #Subsystem sftp /usr/libexec/openssh/sftp-server"
#
# ...as well as:
#
# " Subsystem sftp internal-sftp
# Match Group sftponly
# ChrootDirectory /home/%u
# ForceCommand internal-sftp
# AllowTcpForwarding no "
#